What OS are you using? You would need to isolate this in the way that it runs, e.g. a separate machine that communicates in a properly filtered way, so that the remote shell and exploit don't work and it has some firewall too. Actually I am looking for the same to be done in Ubuntu 12, where there is AppArmor for this.
– Andrew Smith, Jul 16 '12 at 21:28

Did you mean web service as in SOAP/REST or just a web application portal?
– Kapish M, Jul 17 '12 at 1:08

3 Answers

An audit should be performed by a person that was not involved in the creation of your service and infrastructure. That may be another team or department of your company – or some external consultancy.

Checking that you've used cryptography properly is a little tricky, and requires special expertise. I would not expect a typical black-box penetration test to be a very effective way of checking it, or a good use of your money. Instead, you probably want a security audit or security review, preferably by someone familiar with cryptography.

One of the best ways to reduce risk is to minimize the extent to which you are designing your own encryption method. In cryptographer parlance: don't roll your own crypto. For instance, you might encrypt the data using GPG (or something that encrypts to OpenPGP format).

I've read that post a few times, even asked a question about PGP as a result: security.stackexchange.com/questions/17077/… Basically I've determined that I am not able to use PGP or GPG and have to "roll my own crypto" (which is an awfully vague expression in my opinion). But having said that, I think a security audit seems to be my only option, so thanks for the confirmation.
– crawfish, Jul 17 '12 at 18:55
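The answer's advice is to lean on a vetted encryption implementation rather than design a scheme yourself, and a reviewer checking "did they use crypto properly" will look for exactly the properties a vetted construction gives for free: a random nonce per message, authentication of the ciphertext, and binding of the ciphertext to its context. The following is an added example, not code from the answer's author or from the original question. Go's standard library has no OpenPGP implementation, so it uses the standard-library AES-256-GCM AEAD as a stand-in for the GPG/OpenPGP suggestion; every name in it (`Seal`, `Open`, `NewKey`, `TamperDetected`, the sample record) is hypothetical and constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Hypothetical sealed-record helpers built on AES-256-GCM from the Go
// standard library (a vetted AEAD) instead of a home-grown construction.
// Ciphertext layout: nonce (12 bytes) || GCM output (ciphertext + 16-byte tag).

const nonceSize = 12

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey returns a fresh random 256-bit key. In a real service the key would
// come from a KMS or secrets store, never from source code or config files.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext. aad (e.g. the record id) is
// mixed into the tag so a ciphertext cannot be swapped between records.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message: GCM with a reused nonce loses
	// confidentiality and authenticity, so this step is not optional.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag and decrypts. Any modification of nonce, ciphertext,
// tag or aad makes it fail closed with an error and no plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// TamperDetected seals plaintext, flips one byte of the result and reports
// whether Open rejected the corrupted record (it should, every time).
func TamperDetected(key, plaintext, aad []byte) (bool, error) {
	sealed, err := Seal(key, plaintext, aad)
	if err != nil {
		return false, err
	}
	sealed[len(sealed)-1] ^= 0x01 // corrupt the last byte of the tag
	_, err = Open(key, sealed, aad)
	return err != nil, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte("patient=1234;dob=1970-01-01") // constructed sample data
	id := []byte("record-1234")                      // constructed record id
	sealed, err := Seal(key, record, id)
	if err != nil {
		panic(err)
	}
	plain, err := Open(key, sealed, id)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, record))
	_, err = Open(key, sealed, []byte("record-9999"))
	fmt.Println("wrong record id rejected:", err != nil)
	ok, _ := TamperDetected(key, record, id)
	fmt.Println("tampering detected:", ok)
}
```

The design choice worth noting for a review: the scheme never lets the caller pick a nonce, never returns partial plaintext on a bad tag, and refuses keys of the wrong length, so the three mistakes an auditor most often finds in self-made encryption are impossible to make through this interface.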